SYS ARCHITECTLearning Platform
Settings
Theory

OWASP (Open Web Application Security Project)

📋 Overview

OWASP is the gold standard for web application security. It is a non-profit foundation that works to improve the security of software through community-led open-source software projects, hundreds of local chapters worldwide, and tens of thousands of members. Its most influential output, the OWASP Top 10, serves as a critical awareness document for developers and web application security professionals.


🏗️ Core Principles & Characteristics

  • Neutrality: OWASP is vendor-neutral and not affiliated with any specific technology provider.
  • Community-Driven: Best practices are curated by security experts globally.
  • Actionable Standards: Projects like ASVS (Application Security Verification Standard) provide concrete checklists for verifying security requirements.
  • Proactive Security: Focuses on shifting security "left" in the SDLC (Software Development Life Cycle).

⚖️ Trade-offs: Pros & Cons

  • Pros: Standardizes security across the industry; provides free, high-quality tools (e.g., ZAP); highly regarded by auditors and compliance frameworks (PCI-DSS, SOC2).
  • Cons: The Top 10 list is updated every few years, meaning emerging threats (like AI-driven attacks) might take time to be "officially" ranked; implementation can be resource-intensive for small teams.

🌍 Real-World Implementation

The OWASP Top 10 (2021 Highlights):

  1. Broken Access Control: Implementing RBAC/ABAC at the API layer.
  2. Cryptographic Failures: Moving from MD5/SHA-1 to Argon2 or BCrypt; enforcing TLS 1.3.
  3. Injection: Using Parameterized Queries (Prepared Statements) to prevent SQLi.
  4. Insecure Design: Threat modeling during the design phase.
  5. Security Misconfiguration: Hardening cloud buckets (S3) and disabling default admin credentials.

Tools:

  • OWASP ZAP: Integrated into CI/CD pipelines for Dynamic Application Security Testing (DAST).
  • Dependency-Check: Used to identify known vulnerabilities (CVEs) in third-party libraries (SCA).

💡 Interview "Gotchas" & Tips

  • Design vs. Code: In the 2021 update, "Insecure Design" was added. This means you can't just "fix" security with code; you must design it in (e.g., using "Secure by Default" principles).
  • The Difference between SAST and DAST: SAST (Static) scans code; DAST (Dynamic) tests the running app. Mentioning both shows depth.
  • Compliance: Mentioning OWASP in the context of GDPR or HIPAA demonstrates an understanding of how technical security maps to legal requirements.

📐 Suggested Architecture Primitives

  • WAF (Web Application Firewall): To block common Top 10 attacks at the edge (e.g., AWS WAF, Cloudflare).
  • API Gateway: For centralized authentication and rate limiting (preventing credential stuffing).
  • Vaults: Using HashiCorp Vault or AWS Secrets Manager for secret management.
  • Logging: Centralized, immutable logging (ELK/Splunk) for anomaly detection.
Canvas